CB Response: Process Search Returning Events that Should be Negated
Article ID: 291618
Updated On:
Products
Carbon Black EDR (formerly Cb Response)
Issue/Introduction
When using a negated query, results can sometimes return events with the negated information.
Environment
- Carbon Black Response Console: 6.x and Higher
Cause
Long running process that expands over multiple Solr cores.
Resolution
Issue is being investigated in CB-30483. This article will be updated once a target release version and date is known.
Additional Information
- Solr documents are split into segments. At each new event submit a new segment is created in the document
- By default, a Solr core contains 3 days worth of data before being rolled over
- If a long running process is continued after a core rollover, there is a possibility that the returned data will contain the negated information depending on which segment and core the match hits on
- Comprehensive search is used to join segments when there is a AND or - operator in the search query. This does not join over to multiple cores
- Please subscribe to this KB article for updates on CB-30483 and fix
Feedback
Yes
No
Powered by
